May 13, 2021 - 10:23 a.m.

Security Bulletin: Vulnerability in OpenSSH affects IBM Integrated Analytics System

2021-05-13 10:23:25
www.ibm.com

CVSS3: 5.9 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N

EPSS: 0.001 Low
Percentile: 49.4%

Summary

OpenSSH as provided by Red Hat is used by IBM Integrated Analytics System. This bulletin provides mitigation for the reported CVE.

Vulnerability Details

CVEID: CVE-2020-14145
**DESCRIPTION:** OpenSSH is vulnerable to a man-in-the-middle attack, caused by an observable discrepancy flaw. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/184514 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) | Version(s)
IBM Integrated Analytics System | 1.0.0-1.0.24.0

Remediation/Fixes

None

Workarounds and Mitigations

Mitigation for the reported CVE, CVE-2020-14145, is as follows:

  • This is a flaw in OpenSSH that allows a man-in-the-middle attacker to determine whether a client already has prior knowledge of the remote host's fingerprint. An attacker could use this information to ignore clients that would show an error message during a man-in-the-middle attack, while new clients can be intercepted without being alerted to the attack.

This essentially means that this flaw can help attackers identify targets for an MITM attack. However, such an attack would still require the attacker to have control over either DNS or the network traffic.

If the network is untrusted, we suggest the use of SSH certificates, for even more confidence and less human factor involved, or GSSAPI key exchange, where Kerberos is used to verify the identity of the server.

  • Always connect to SSH servers with verified host keys to avoid any possibility of a man-in-the-middle attack.
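
One way to check clients against the two recommendations above (verified host keys and SSH certificates), as an added example that is not part of the IBM bulletin: the Python script below flags ssh_config settings that accept host keys without verification and lists the host patterns covered by an @cert-authority entry in known_hosts. The function names, hostnames and key placeholders are constructed for illustration.

```python
# Added example: audit ssh_config text for settings that skip host key verification.
# Hostnames and key material below are constructed placeholders.

DISABLED = {"no", "off", "false"}  # unknown and changed host keys are accepted
TOFU = {"accept-new"}              # first-seen host keys are accepted unverified

def audit_ssh_config(text):
    """Return (scope, finding) pairs for weakened host key checks."""
    findings, scope = [], "(global)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config allows both "Keyword value" and "Keyword=value".
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        key, args = parts[0].lower(), [a.strip('"') for a in parts[1:]]
        if key in ("host", "match"):
            scope = " ".join(args)
        elif key == "stricthostkeychecking" and args:
            value = args[0].lower()
            if value in DISABLED:
                findings.append((scope, "host key checking disabled"))
            elif value in TOFU:
                findings.append((scope, "new host keys trusted without verification"))
        elif key == "userknownhostsfile" and "/dev/null" in args:
            findings.append((scope, "verified host keys are never stored"))
    return findings

def host_ca_patterns(known_hosts_text):
    """Return host patterns covered by an @cert-authority line in known_hosts."""
    patterns = []
    for raw in known_hosts_text.splitlines():
        fields = raw.split()
        if len(fields) >= 3 and fields[0] == "@cert-authority":
            patterns.extend(fields[1].split(","))
    return patterns

SAMPLE_CONFIG = """# constructed sample
StrictHostKeyChecking ask
Host build-*.example.test
    StrictHostKeyChecking=no
    UserKnownHostsFile /dev/null
Host jump.example.test
    StrictHostKeyChecking accept-new
"""
SAMPLE_KNOWN_HOSTS = "@cert-authority *.example.test ssh-ed25519 AAAA_PLACEHOLDER host-ca\n"
```

A host pattern with no findings and a matching @cert-authority entry is the state the bulletin recommends for untrusted networks.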

CPE Name | Operator | Version
ibm integrated analytics system | eq | any
